Volume 18, Issue 2 (10-2021)
JSDP 2021, 18(2): 135-146 |
Back to browse issues page
Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
Mirjalili F, Razmara J. An intelligent behavior-based intrusion detection method for virtual machines. JSDP 2021; 18 (2) :135-146
URL: http://jsdp.rcisp.ac.ir/article-1-984-en.html
URL: http://jsdp.rcisp.ac.ir/article-1-984-en.html
University of Tabriz
Abstract: (2085 Views)
In recent years, the speed and complexity of computer networks have grown significantly. At the same time, network-based anomalies and attacks have increased. Nowadays, intrusion detection and prevention is considered as a main strategy in satisfying the security of computer systems and communication networks, and the detection of these attacks with high accuracy and the least error is very important, especially in the field of network management. Today, virtualization technology is widely developing in order to set up multiple virtual systems on a physical system. Computational clouds are the most hallmark of this technology. Intrusion detection systems play a key role in protecting cloud resources on virtual machines. An intrusion detection system has the task of monitoring events within a computer system and the communication networks, and detects unauthorized and abnormal behaviors to deal with them. The proposed systems for intrusion detection mainly use data mining, machine learning and statistical analysis of data. Therefore, it is natural that in some cases they lead to the production of false alarms. Consequently, it is essential to improve the accuracy and high detection capability of these systems. Regarding the increasing speed and complexity of these machines, it is necessary to increase the ability and accuracy of intrusion detection systems for identifying different types of attacks at a right time. In this regard, the use of behavior-based approaches has attracted more attention due to their high scalability in the large networks. The methods for intrusion detection that utilize network traffic graph clustering do not have the accuracy and appropriateness with the speed of data transfer in the current computer networks. Thus, the solutions can be improved by choosing an appropriate strategy for clustering. In this paper, a new behavior-based method for detecting intrusion in computer networks is presented. To this end, the network data was modeled through the flow of data as a traffic dispersion graph and then clustered using an improved Markov-based algorithm. Then, by analyzing a set of statistical criteria, the produced clusters, a penetration detection model was constructed. A set of modified statistical criteria was defined and utilized for analyzing the constructed clusters. The proposed model was examined and evaluated on the DARPA 99 dataset. In addition, the results of the proposed method were compared with seven other methods which work based on machine learning techniques. The results show that in the proposed method, the error detection rate is significantly reduced and the accuracy rate of the method is increased compared to seven other intrusion detection approaches. The reason for this performance improvement can be attributed to the good performance of Markov's improved clustering algorithm, which has produced more accurate results on flow-based data. Also, defining and applying appropriate criteria to determine the threshold limits is effective in obtaining accurate results. In addition, the results demonstrate that the proposed model has better capabilities than the methods which are not use graph clustering and can detect attacks with high accuracy.
Keywords: behavior-based intrusion detection, traffic dispersion graph, data flow, graph clustering, optimized Markov clustering
Type of Study: Research |
Subject:
Paper
Received: 2019/03/8 | Accepted: 2019/11/10 | Published: 2021/10/8 | ePublished: 2021/10/8
Received: 2019/03/8 | Accepted: 2019/11/10 | Published: 2021/10/8 | ePublished: 2021/10/8
References
1. [1] R. Rastgar, A. Isazadeh, J. Karimpour, "Flow-based intrusion detection based on traffic distribution graph", In 13th International Conf. on Iranian Cryptography Society, 2016.
2. [2] M. Zabihi, M. Vafaei Jahan, "An optimized accurate algorithm based on Markov clustering for web robots detection", 7th International Conf. on Iranian Operation Research, 2014. [DOI:10.1109/ICCKE.2014.6993362]
3. [3] S. Anwar, J. M. Zain, M. F. Zolkipli, Z. Inayat, S. Khan, B. Anthony, V. Chang, "From intrusion detection to an intrusion response system: fundamentals, requirements, and future directions", Algorithms, vol. 10(39), 2017. [DOI:10.3390/a10020039]
4. [4] U.H. Rao, U. Nayak, "Intrusion Detection and Prevention Systems", The InfoSec Handbook. Apress, Berkeley, CA. 2014. [DOI:10.1007/978-1-4302-6383-8_11]
5. [5] E. Viegas, A. O. Santin, A. Franca, R. Jasinski, V. A. Pedroni and L. S. Oliveira, "Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems"-, IEEE Transactions on Computers, vol. 66 (1), pp. 163-177, 2017. [DOI:10.1109/TC.2016.2560839]
6. [6] A. Sperotto, "Flow-based intrusion detection", Ph.D. Dissertation, University of Twente, 2010.
7. [7] L. Hellemons, L. Hendriks, R. Hofstede, A. Sperotto, R. Sadre, and A. Pras, "Sshcure: a flow-based ssh intrusion detection system", Dependable Networks and Services, LNCS vol. 7279, pp.86-97, 2012. [DOI:10.1007/978-3-642-30633-4_11]
8. [8] M. Iliofotou, P. Pappu, M. Faloutsos, M. Mitzenmacher, S. Singh, and G. Varghese, "Network traffic analysis using traffic dispersion graphs (tdgs): techniques and hardware implementation", UCR Technical Report, 2007. [DOI:10.1145/1298306.1298349]
9. [9] D. Q. Le, T. Jeong, H. E. Roman, and J. W.-K. Hong, "Traffic dispersion graph based anomaly detection", In Proc. of the Second Sym. on Information and Communication Technology, pp.36-41, ACM, 2011.
10. [10] D. Q. Le, T. Jeong, H. E. Roman, and J. W. Hong, "Trafic dispersion graph based anomaly detection", In Proc. of the Second Sym. on Information and Communication Technology, pp. 36-41, ACM, 2011
11. [11] P. Manandhar and Z. Aung, "Towards practical anomaly-based intrusion detection by outlier mining on tcp packets", Database and Expert Systems Applications, LNCS vol. 8645, pp. 164-173, 2014. [DOI:10.1007/978-3-319-10085-2_14]
12. [12] H. A. Kholidy, F. Baiardi, "CIDD: A Cloud Intrusion Detection Dataset for Cloud Computing and Masquerade Attacks", 9th International Conference on Information Technology - New Generations, Las Vegas, NV, USA, 2012. [DOI:10.1109/ITNG.2012.97]
13. [13] R. Lippmann, J.W. Haines, D. J. Fried, J. Korba, and K. Das, "The 1999 darpa off-line intrusion detection evaluation", Computer networks, vol. 34(4), pp. 579-595, 2000. [DOI:10.1016/S1389-1286(00)00139-0]
14. [14] S. M. Dongen, "Graph Clustering by Flow Simulation", PhD Dissertation, University of Utrecht, 2000.
15. [15] G. P. Guptaa, M. Kularivaa, "A Framework for Fast and Efficient Cyber Security Network Intrusion Detection using Apache Spark", 6th Int. Conf. on Advances in Computing & Communications, 2016, 6-8 September 2016. Procedia Computer Science 93, pp. 824 - 831. [DOI:10.1016/j.procs.2016.07.238]
Send email to the article author
| Rights and permissions | |
 |
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. |
